Easy Understandings of Known-Key Attacks

Formalizing Known-Key “Distinguishers” - New Attacks on Feistel Ciphers

Yu Sasaki and Kan Yasuda NTT Corporation

CRYPTO 2010 Rump Session 17/Aug./2010 @ UCSB 1. Formalizing Known-Key “Distinguishers” - New Attacks on Feistel Ciphers 2.

Yu Sasaki and Kan Yasuda NTT Corporation

CRYPTO 2010 Rump Session 17/Aug./2010 @ UCSB (3-bit) Block Cipher Key Dependent Permutation 1 2 3 4 5 6 7 8 Plaintext

BLOCK CIPHER KEY

1 2 3 4 5 6 7 8 Ciphertext (3-bit) Block Cipher Choose a key. Permutation is fixed. 1 2 3 4 5 6 7 8 Plaintext

KEY

1 2 3 4 5 6 7 8 Ciphertext Attacker’s Goal on Block Ciphers Distinguish / Key Recovery 1 2 3 4 5 6 7 8 Plaintext Adv.

??? Secret

1 2 3 4 5 6 7 8 Ciphertext Attack Models (Classic) Differential Attack 1 2 3 4 5 6 7 8 Plaintext

???

1 2 3 4 5 6 7 8 Ciphertext Attack Models (Classic) Differential Attack 1 2 3 4 5 6 7 8 Plaintext

???

1 2 3 4 5 6 7 8 Ciphertext Attack Models (Adaptively Chosen) Boomerang Attack 1 2 3 4 5 6 7 8 Plaintext

DP1

???

DC2 DC1

1 2 3 4 5 6 7 8 Ciphertext Choose adaptively Attack Models (Adaptively Chosen) Boomerang Attack 1 2 3 4 5 6 7 8 Plaintext

DP1 DP2

???

DC2 DC1

1 2 3 4 5 6 7 8 Ciphertext Choose adaptively Attack Models (Related-Key) Related-Key (Differential) Attack 1 2 3 4 5 6 7 8 Plaintext

DP1 ?A?

Relation ?B?

1 2 3 4 5 6 7 8 Ciphertext Attack Models (Related-Key) Related-Key (Differential) Attack 1 2 3 4 5 6 7 8 Plaintext

DP1 Encrypt with B ?A? Encrypt with A ?B?

DC1

1 2 3 4 5 6 7 8 Ciphertext • More and more complicated attack models are considered to recover the key. • More and more complicated attack models are considered to recover the key.

• Another simple attack model: Known-Key Attack

The concept was proposed by Knudsen and Rijmen at Asiacrypt 2007. Known-Key Model

1 2 3 4 5 6 7 8 Plaintext

???

1 2 3 4 5 6 7 8 Ciphertext Known-Key Model The key is given to the attacker !! 1 2 3 4 5 6 7 8 Plaintext

??? KEY

1 2 3 4 5 6 7 8 Ciphertext Known-Key Model The attacker can do everything !! 1 2 3 4 5 6 7 8 Plaintext

KEY distinguish recovery encryption decryption 1 2 3 4 5 6 7 8 Ciphertext Known-Key Model The attacker can do everything !! 1 2 3 4 5 6 7 8 Plaintext

KEY distinguish recovery encryption decryption 1 2 3 4 5 6 7 8 Ciphertext What’s the point?? Undesired Situation secure? if the fixed permutation is identity map 1 2 3 4 5 6 7 8 Plaintext

KEY Randomly chosen key

1 2 3 4 5 6 7 8 Ciphertext Undesired Situation secure? if the fixed permutation has strong bias 1 2 3 4 5 6 7 8 Plaintext

KEY Randomly chosen key

1 2 3 4 5 6 7 8 Ciphertext Undesired Situation secure? if the fixed permutation has strong bias 1 2 3 4 5 6 7 8 Plaintext

KEY Randomly chosen key

1 2 3 4 5 6 7 8 Ciphertext Known-Key Attacks Goal is different. No secret any more!! • Evaluate whether or not the fixed permutation with a randomly chosen key is ideal. • Useful because block ciphers are often used as key-less primitives such as hash functions.

Plaintext Key Message Constant Block Hash Cipher Block Function Block cipher cipher Ciphertext Digest Secure Secure Our Recent Results Our Results 1 • Give a formalization of known-key attacks which can cover all previous results. • Show the separation of known-key and secret-key settings. Ciphers secure in Ciphers secure in secret-key model known-key model

security in one security in the other Our Results 2 • Known-key attacks up to 11-rounds of Feistel-SP

Feistel Previous [KR07] K K • Round function F : f F • 7 rounds are not ideal. K S-layer P-layer Ours F S K MDS S • Round function F : S • 11 rounds are not ideal. Conclusions

• Known-key distinguishers are useful tools to evaluate the security of key-less primitives.

• Our recent work – Formalization – Separation of secret/known key settings – Attacks on 11-rounds of Feistel-SP

Thank you for your attention !!